[Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission

Walker, Jason M (JSC-CD42)[Leidos Innovations Corporation] jason.m.walker at nasa.gov
Tue Feb 13 19:24:49 UTC 2018 

I am encountering a problem after upgrading Samba 3.x to Samba 4.6.4 on AIX.  When trying to update a file in Excel 2016 from Windows 10 clients, Excel gives an error trying to save the file with an Access Denied message.  I first thought it was a locking option and tried many variations of those, but what I have found is that if the file's access mode is 700 (User:RWX, Group:none, Everyone:none), the user cannot save the file; however if the file mode is changed to 740 (User:RWS, Group:R, Everyone:non) the user may edit/overwrite the file.

I do not have an issue editing and saving files with Notepad or Notepad++, so this may be a problem in Excel's odd behavior of creating a new file and overwriting the original.  But I'm not sure how the Group mode bits affects the behavior and whether there is anything I can do to work around the problem.  We very much want to avoid granting any Group mode permissions as we have thousands of users with a shared default group.

We are using ADS mode as a Member Server, and restricting to NTLMv2 and SMB2 protocols.  Excerpt from the configuration file:

security = ADS
workgroup = MYDOMAIN
realm = mydomain.gov
lanman auth = no
ntlm auth = no
client lanman auth = no
client ntlmv2 auth = yes
client min protocol = SMB2
client schannel = auto
client signing = auto
client use spnego = yes
server schannel = auto
server signing = auto
wins support = no
disable netbios = yes
restrict anonymous = yes
server min protocol = SMB2
acl allow execute always = yes
nt acl support = yes
inherit acls = yes
map acl inherit = yes
map archive = yes
map hidden = no
map read only = yes
map system = no
store dos attributes = yes
inherit permissions = yes
dos filemode = yes
unix extensions = no

[homes]
comment = Home Directories
path = /home/PATH/PATH/%U
browseable = no
writeable = yes
create mask = 0700
# If we change create mask to 0740, new files get a Group:Read permission and Excel 2016 can update the files
#create mask = 0740

More information about the samba mailing list